Vesta Control Panel - Forum
Warning - the server may have been infected through Vesta

Questions about running the web server
Apache + Nginx, Nginx + PHP5-FPM
masterf
Posts: 7
Joined: Sun Jan 12, 2014 6:04 am

Warning - the server may have been infected through Vesta

Post by masterf » Wed Jan 15, 2014 4:30 am

I suspect that Vesta contains malicious code. Let me explain the situation.
I have hosting at DigitalOcean and installed Vesta on the VDS. Only Vesta. Added 3 domains. Did nothing else. The next day I get an email from the hoster: my server had attacked the NACF (National Agricultural Cooperative Federation). As a result, DigitalOcean did not work for a whole day!

Text of the email
Dear LLC Sirius


I am an IT security manager of the NACF (National Agricultural Cooperative Federation).
I've received a report of unauthorized access from your site as shown below.
 
============================== Timezone of the Log is (GMT+9) ==============================
- Firewall Activity Log
 
TIMESTAMP SRC_IP DEST_IP DEST_PORT PROTOCOL
2014-01-14 18:39 my IP 61.37.x.1 80 TCP
2014-01-14 18:39 my IP 61.37.x.2 80 TCP
2014-01-14 18:39 my IP 61.37.x.3 80 TCP
...
2014-01-14 18:39 my IP 61.37.x.253 80 TCP
2014-01-14 18:39 my IP 61.37.x.254 80 TCP
2014-01-14 18:39 my IP 61.37.x.255 80 TCP
============================================================================================
 
Unfortunately, I may block this source IP address depending on degree of risk in order to defend the illegal access or attack.
I am seriously considering those unauthorized activities regardless of whether it was intentional or not.
Those activities and the possibility of additional illegal attempts can be great threat for our services.
I demand that you take appropriate steps to prevent a recurrence, and give me a feedback about the results of the investigation.
If you are not the correct person to be dealing with this incident, please forward this mail to the appropriate person.
 
Best Regards.
******************************

Please note that generating multiple abuse complaints in a short period of time may lead to your account being suspended.

masterf
Posts: 7
Joined: Sun Jan 12, 2014 6:04 am

Re: Warning - the server may have been infected through Vesta

Post by masterf » Wed Jan 15, 2014 4:34 am

And another one
We have detected abuse from the IP address ---------------------. See below for how we obtained your email address in case it is wrong. We would appreciate if you would investigate and take action as appropriate.

** THIS IP ADDRESS IS NULL ROUTED on our entire network, including peering and transit, for a period of time not exceeding 24 hours from the date and time of this email. YOU ARE NOT REQUIRED to reply to this email unless you need more information.

You can see more information on this incident by reviewing the data at http://darknet.superb.net/ip/-------------------- and log lines are given below. Please ask if you require any further information.

You may contact us at [email protected]

(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process. This mail was generated by an automated process.)

The recipient address of this report was provided by the Abuse Contact DB by abusix.com. abusix.com does not maintain the content of the database. All information they provide derives from the RIR databases and is processed for ease of use. If you want to change or report non working abuse contacts please contact the appropriate RIR. If you have any further question, contact abusix.com directly via email ([email protected]). Information about the Abuse Contact Database can be found here:
http://abusix.com/global-reporting/abuse-contact-db

abusix.com is neither responsible nor liable for the content or accuracy of this message.

Note: Local timezone is -0500 (EST)
/var/log/messages:Jan 13 06:44:03 darknet.superb.net Darknet: -------------------------- exceeded connection attempt threshold to tcp:2086 140 times in a 30 minute period
******************************

Please note that generating multiple abuse complaints in a short period of time may lead to your account being suspended.

Deeryo
Posts: 190
Joined: Tue Nov 05, 2013 1:55 pm

Re: Warning - the server may have been infected through Vesta

Post by Deeryo » Wed Jan 15, 2014 11:42 am

Hi, most likely the root password was too weak and it was guessed.
In general you need to look at the login history, the other logs, and the current processes (ps axfuw).
You can also check the integrity of the installed system packages with rpm -V on CentOS or debsums on Debian/Ubuntu. Install rkhunter and run it (rkhunter --update; rkhunter --check).

I set up the following iptables rules in /etc/sysconfig/iptables:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, ICMP and replies to connections this host opened itself
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# New inbound connections only to the services Vesta exposes; service names
# (http, pop3, smtp, ...) are resolved from /etc/services by iptables-restore
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -m comment --comment "FTP" -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m comment --comment "SSH" -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport http -m comment --comment "HTTP" -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport https -m comment --comment "HTTPS" -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8083 -m comment --comment "Vesta" -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports pop3,pop3s,imap,imaps -m comment --comment "Dovecot" -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports smtp,smtps,submission -m comment --comment "Exim" -j ACCEPT
# Everything else inbound and all forwarding is dropped; OUTPUT stays ACCEPT,
# so outbound traffic (including scans from an already compromised host) is not filtered here
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
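An added example, not code from the thread or from the Vesta project: the login-history check Deeryo suggests, carried out over sshd log lines. The log lines below are constructed for the example (hostname, PIDs and addresses are invented); on a real server pipe in /var/log/secure (CentOS) or /var/log/auth.log (Debian/Ubuntu) instead. It lists source addresses with repeated failed password attempts and then flags any of them that were later accepted with a password, which is what a guessed root password looks like in the log.

```shell
#!/bin/sh
# Added example (not from the forum thread): find password-guessing runs in
# sshd log output that ended in a successful login. SAMPLE_LOG is constructed
# for the example; feed real /var/log/secure or /var/log/auth.log lines instead.

SAMPLE_LOG='Jan 13 06:40:01 vds sshd[2211]: Failed password for root from 198.51.100.7 port 51022 ssh2
Jan 13 06:40:03 vds sshd[2213]: Failed password for root from 198.51.100.7 port 51030 ssh2
Jan 13 06:40:05 vds sshd[2215]: Failed password for invalid user admin from 198.51.100.7 port 51041 ssh2
Jan 13 06:40:08 vds sshd[2217]: Failed password for root from 198.51.100.7 port 51055 ssh2
Jan 13 06:40:11 vds sshd[2219]: Accepted password for root from 198.51.100.7 port 51060 ssh2
Jan 13 06:41:00 vds sshd[2230]: Failed password for root from 203.0.113.9 port 40011 ssh2
Jan 13 06:41:02 vds sshd[2232]: Failed password for root from 203.0.113.9 port 40012 ssh2
Jan 13 07:02:40 vds sshd[2301]: Accepted publickey for deploy from 192.0.2.5 port 33100 ssh2'

# Read log lines on stdin; print "IP count" for every source address that
# was refused at least $1 times (default 3), sorted by address.
failed_by_ip() {
    threshold="${1:-3}"
    grep 'sshd\[.*Failed password' | awk -v t="$threshold" '
        { for (i = 1; i <= NF; i++) if ($i == "from") cnt[$(i+1)]++ }
        END { for (ip in cnt) if (cnt[ip] >= t) print ip, cnt[ip] }' | sort
}

# Read log lines on stdin; print "IP user" for every password login that was
# accepted from an address that also crossed the failure threshold. A guessed
# password shows up exactly like this: a burst of failures, then "Accepted".
suspicious_logins() {
    threshold="${1:-3}"
    log="$(cat)"
    printf '%s\n' "$log" | failed_by_ip "$threshold" | while read -r ip n; do
        printf '%s\n' "$log" | awk -v ip="$ip" '
            /sshd\[.*Accepted password/ {
                for (i = 1; i <= NF; i++) if ($i == "from" && $(i+1) == ip) print ip, $(i-1)
            }'
    done
}

# Stand-alone run over the constructed sample (prints "198.51.100.7 root").
printf '%s\n' "$SAMPLE_LOG" | suspicious_logins 3
```

Key-based logins are deliberately ignored: the question is whether a password was guessed, and a later "Accepted publickey" from a different address is the administrator, not the attacker. Lower the threshold to 1 to see every address that failed at least once before getting in.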

nabbe
Posts: 114
Joined: Mon Aug 26, 2013 7:22 am

Re: Warning - the server may have been infected through Vesta

Post by nabbe » Wed Jan 15, 2014 11:46 am

If you did nothing of substance on the server, it is simpler to create a new droplet with a fresh Vesta, changing the SSH password beforehand, and set up iptables or fail2ban right after the install.

masterf
Posts: 7
Joined: Sun Jan 12, 2014 6:04 am

Re: Warning - the server may have been infected through Vesta

Post by masterf » Wed Jan 15, 2014 11:53 am

nabbe wrote: If you did nothing of substance on the server, it is simpler to create a new droplet with a fresh Vesta, changing the SSH password beforehand, and set up iptables or fail2ban right after the install.
I would still like to understand what it actually was....

Deeryo
Posts: 190
Joined: Tue Nov 05, 2013 1:55 pm

Re: Warning - the server may have been infected through Vesta

Post by Deeryo » Wed Jan 15, 2014 11:58 am

It is also worth looking at the network connections with the commands
netstat -naptu
lsof -Ts -i -n -P
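An added example, not Deeryo's or Vesta's code, that turns the netstat check above into two automated tests over netstat -nap style output: listening sockets on ports that the iptables rules posted earlier in the thread do not account for (the allowlist is the ports from those rules plus 53, an assumption made here because Vesta also runs a DNS server), and outbound SYN_SENT connections fanning out to many hosts on one destination port, which is the pattern behind the port 80 sweep of 61.37.x.0/24 and the tcp:2086 probes in the abuse reports. The netstat sample is constructed; PIDs, program names and addresses are invented.

```shell
#!/bin/sh
# Added example (not from the forum thread or the Vesta project): triage of
# netstat -nap style output. SAMPLE_NETSTAT is constructed; addresses, PIDs
# and program names are invented. On a real server use:
#   netstat -naptu | unexpected_listeners "$EXPECTED_PORTS"
#   netstat -naptu | outbound_sweep 3

SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1204/nginx
tcp        0      0 0.0.0.0:8083            0.0.0.0:*               LISTEN      1310/nginx
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN      4471/perl
tcp        0      0 203.0.113.10:58210      198.51.100.21:2086      SYN_SENT    4471/perl
tcp        0      0 203.0.113.10:58211      198.51.100.22:2086      SYN_SENT    4471/perl
tcp        0      0 203.0.113.10:58212      198.51.100.23:2086      SYN_SENT    4471/perl
tcp        0      0 203.0.113.10:58213      198.51.100.24:2086      SYN_SENT    4471/perl
tcp        0      0 203.0.113.10:44120      192.0.2.80:443          ESTABLISHED 1204/nginx
udp        0      0 0.0.0.0:53              0.0.0.0:*                           905/named'

# Ports opened by the iptables rules in the thread, plus 53 (assumption:
# Vesta also runs a DNS server). Any other listener deserves a close look.
EXPECTED_PORTS="21 22 25 53 80 110 143 443 465 587 993 995 8083"

# Read netstat output on stdin; print "proto port pid/program" for every
# TCP LISTEN socket and every UDP socket whose local port is not in the
# space-separated allowlist passed as $1.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^(tcp|udp)/ && ($6 == "LISTEN" || $1 ~ /^udp/) {
            port = $4; sub(/.*:/, "", port)      # handles 0.0.0.0:22 and :::22 alike
            if (!(port in ok)) print $1, port, $NF
        }'
}

# Read netstat output on stdin; print "port hosts" for every destination port
# with half-open (SYN_SENT) connections to at least $1 distinct hosts
# (default 3). Many SYN_SENT entries to one port across many hosts is an
# outbound scan in progress, not ordinary client traffic.
outbound_sweep() {
    awk -v t="${1:-3}" '
        $1 ~ /^tcp/ && $6 == "SYN_SENT" {
            host = $5; sub(/:[0-9]+$/, "", host)
            port = $5; sub(/.*:/, "", port)
            if (!((port, host) in seen)) { seen[port, host] = 1; n[port]++ }
        }
        END { for (p in n) if (n[p] >= t) print p, n[p] }' | sort
}

# Stand-alone run over the constructed sample: the IRC-port listener owned by
# the same PID that is probing port 2086 on four hosts stands out immediately.
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "$EXPECTED_PORTS"
printf '%s\n' "$SAMPLE_NETSTAT" | outbound_sweep 3
```

The PID column is the pivot: once a listener or a sweep is attributed to a process, ps axfuw shows its parent and command line and ls -l /proc/PID/exe shows the binary, even if it has since been deleted from disk.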
